[whatwg] meta="encrypt" tag is needed
juuso_html5 at tele3d.net
Thu May 6 05:44:18 PDT 2010
<meta="encrypt" pubkey="ABABAEFEF2626EFEFEF"
pubtool="EC256-AES|RSA2048-AES" passsalt="no|domainname"
auth="verisign">
Please try to fully decrypt the above meta-encrypt tag and *see* how
the browser-server communication could utilize it. (HINT: the browser
submits a (session-specific) 256-bit elliptic curve public key to the
server inside every URI request AND, if the target page has a
meta-encrypt tag, the server uses the browser's elliptic curve key
and encrypts the page content with that.) It is very simple, doable
and STATELESS. And in html5 it would eliminate some of the biggest
real-life security threats on the internet. If you *could* learn and
instinctively use the above meta-encrypt tag, then it should be
simple enough for actual usage.
Yes, this suggestion may be a bit radical, so let's try to find the
positive things first. Meaning: if you don't understand or like the
structure immediately, shut up and let those who see the light
express themselves first.
Ok, let me start with the passsalt:
passsalt => salts the password-field value into => SHA-256($password) format
I think the passsalt="(no|domainname)" attribute should also be added
as a form parameter (with a default value of the lowercase domain name).
The passsalt attribute would prevent the site from getting a plain-text
password, as the browser would 'salt' it by default with the domain name
string. Thus, since internet users use the same passwords on multiple
sites anyway, the passsalt will eliminate hacking into the various
online accounts a user has.
Real life examples & reasons for adding passsalt to html5
1) A Finnish site, alypaa.com, got hacked a month ago. The hacker stole
some 100,000 (unencrypted) user passwords from their database. But
what the media noticed first was that many leading politicians had got
their blogs, home pages and Facebook pages defaced.
2) A couple of weeks ago a Russian hacker was selling his user names &
passwords for 1.5 million Facebook accounts.
3) A week ago a new data protection law for Massachusetts was
proposed; basically it says personally identifiable information (that
is usable for identity theft crimes) about Massachusetts residents may
not be stolen, or _you_ will get a fine of $5,000 per breach or lost
record.
http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
It can be expected that laws around the world will go in that
direction as the identity theft problem keeps getting worse. That
passsalt attribute alone would eliminate LOTS of identity thefts and
it is easily doable.
Ok, try to hack the rest of that *beautiful* <meta="encrypt" tag, and
please don't say that instead you can use https / JS or some other
thing that JUST DOESN'T WORK in real life.
Juuso Hukkanen
www.colordev.com